Using security_groups instead of the correct vpc_security_group_ids on an instance within VPC results in instance recreation on each apply

[andywirv]

Terraform Version

Terraform v0.10.2

Affected Resource(s)

Please list the resources as a list, for example:

• aws_instance
• aws_security_group

Terraform Configuration Files

provider "aws" {
  profile                 = "[profile_name]"
  shared_credentials_file = "[path to].aws/credentials"
  region                  = "eu-west-1"
}

resource "aws_vpc" "example_vpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_subnet" "example_subnet" {
  vpc_id                  = "${aws_vpc.example_vpc.id}"
  cidr_block              = "10.1.0.0/24"
  availability_zone = "eu-west-1a"
  map_public_ip_on_launch = false
}

resource "aws_instance" "example_instance" {
  ami                         = "ami-33776655"
  associate_public_ip_address = false
  availability_zone           = "eu-west-1a"
  instance_type               = "t2.micro"
  security_groups = ["${aws_security_group.example_1.id}"]
  subnet_id         = "${aws_subnet.example_subnet.id}"
}

resource "aws_security_group" "example_1" {
  vpc_id="${aws_vpc.example_vpc.id}"
  name = "access-https"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Debug Output

This dumps a load of PII from the AWS Provider. If it is really needed I can provide a redacted version

Panic Output

N/A

Expected Behavior

Error on the first apply for using security_groups with an aws_instance assigned to an aws_subnet within an aws_vpc

OR

Carry on being kind and figure out that the intention was to attach the vpc_security_group_ids as done on first apply. Maybe output a warning that the wrong argument is being used.

Actual Behavior

On first terraform apply the VPC security groups are linked to the instance within the VPC subnet. Running terraform apply a second time (with no changes) results in the instance being recreated

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

N/A

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
Similar to this: hashicorp/terraform#14416

[frosas]

IMO, this can be closed in favor of #1799 or #1993.

[bflad]

Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.

Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.

As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!